Hello guys,
following are the logs I get from the TACACS access control debugging:
02:30:39: TPLUS: Queuing AAA Authentication request 92 for processing
02:30:39: TPLUS: processing authentication start request id 92
02:30:39: TPLUS: Authentication start packet created for 92(myusername)
02:30:39: TPLUS: Using server x.x.x.x
02:30:39: TPLUS(0000005C)/0/NB_WAIT/42DA490: Started 5 sec timeout
02:30:39: TPLUS(0000005C)/0/NB_WAIT: socket event 2
02:30:39: TPLUS(0000005C)/0/NB_WAIT: wrote entire 46 bytes request
02:30:39: TPLUS(0000005C)/0/READ: socket event 1
02:30:39: TPLUS(0000005C)/0/READ: Would block while reading
02:30:40: TPLUS(0000005C)/0/READ: socket event 1
02:30:40: TPLUS(0000005C)/0/READ: read entire 12 header bytes (expect 16 bytes data)
02:30:40: TPLUS(0000005C)/0/READ: socket event 1
02:30:40: TPLUS(0000005C)/0/READ: read entire 28 bytes response
02:30:40: TPLUS(0000005C)/0/42DA490: Processing the reply packet
02:30:40: TPLUS: Received authen response status GET_PASSWORD (8)
02:31:33: TPLUS: Queuing AAA Authentication request 93 for processing
02:31:33: TPLUS: processing authentication start request id 93
I am entering the username and password on the login screen but it
seems like TACACS is not reading the info that the switch is sending to it
properly. I get an "Authentication failed!" message and on the TACACS
side, under failed attempts, under Message Type I see "unknown NAS". Am I
missing something on the TACACS side?
Any and all help on this would be appreciated!
Thanks
On Mon, Apr 12, 2010 at 10:03 AM, Usama Pervaiz <chaudri_at_gmail.com> wrote:
> Hello all,
>
> I am trying a test config of web auth on a 3560. We have a ACS server
> version 4.2 running TACACS+ for authenticating all of our access to
> the switches and routers. I have not configured dot1x as the time out
> for non dot1x hosts is unacceptable (approximately 90sec by default).
> So I am using web auth as my main authorization. Following is the
> config on the switch I am testing on.
>
> aaa new-model
> !
> aaa authentication login whatever group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ none
> aaa authorization auth-proxy default group tacacs+ local
> aaa accounting commands 7 default start-stop group tacacs+
> aaa accounting commands 8 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> !
> ip dhcp snooping
> ip device tracking
> ip auth-proxy proxy http success redirect http://www.xxxxxxxx
> ip admission proxy http success redirect http://www.xxxxxxxxx
> ip admission name WEBAUTH proxy http inactivity-time 60
> !
> interface GigabitEthernet0/33
> switchport access vlan 10
> switchport mode access
> ip access-group PRE-WEBAUTH in
> authentication order webauth
> no mdix auto
> storm-control unicast level pps 10k 9.5k
> storm-control action trap
> ip admission WEBAUTH
> !
> ip access-list extended PRE-WEBAUTH
> permit udp any any eq bootps
> permit udp any any eq domain
> deny ip any any
> !
> tacacs-server host x.x.x.x
> tacacs-server host x.x.x.x
> tacacs-server directed-request
> tacacs-server key 7 xxxxxxxxx
>
> With this config the authentication prompt displays but when I put my
> credentials in I get a login failure. I think my config on the switch
> is correct but I have no idea about the config on the TACACS+ side. All the
> documentation out there is for RADIUS. I must confess I do not have
> any exposure to ACS environment. I know the basic differences between
> TACACS and RADIUS but not enough to figure this out. Any help or
> reference to any documentation for web auth with TACACS would be
> greatly appreciated!
>
> Thanks,
> Usama
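Correlating the TPLUS debug lines at the top of this reply by AAA request id shows which authentication attempts never reached a final PASS/FAIL/ERROR status (request 92 stops at GET_PASSWORD, request 93 gets no response at all). This is an added example, not code from the thread; the sample log is constructed from the lines posted above.

```python
import re

# Constructed sample modelled on the TPLUS debug output in the post.
SAMPLE_LOG = """\
02:30:39: TPLUS: Queuing AAA Authentication request 92 for processing
02:30:39: TPLUS: processing authentication start request id 92
02:30:39: TPLUS: Authentication start packet created for 92(myusername)
02:30:39: TPLUS: Using server x.x.x.x
02:30:39: TPLUS(0000005C)/0/NB_WAIT/42DA490: Started 5 sec timeout
02:30:39: TPLUS(0000005C)/0/NB_WAIT: wrote entire 46 bytes request
02:30:40: TPLUS(0000005C)/0/READ: read entire 28 bytes response
02:30:40: TPLUS: Received authen response status GET_PASSWORD (8)
02:31:33: TPLUS: Queuing AAA Authentication request 93 for processing
02:31:33: TPLUS: processing authentication start request id 93
"""

QUEUED = re.compile(r"Queuing AAA Authentication request (\d+)")
STARTED = re.compile(r"Authentication start packet created for (\d+)\((\S+)\)")
STATUS = re.compile(r"Received authen response status (\w+) \((\d+)\)")
# Statuses that end an authentication exchange; anything else asks for more input.
FINAL = {"PASS", "FAIL", "ERROR"}


def summarize(log_text):
    """Group TPLUS lines by AAA request id.

    Status lines carry no request id, so each one is attributed to the most
    recently queued request (the debug output is sequential per session).
    Returns {request_id: {"user": ..., "statuses": [...], "final": ...}}.
    """
    requests, current = {}, None
    for line in log_text.splitlines():
        if m := QUEUED.search(line):
            current = m.group(1)
            requests[current] = {"user": None, "statuses": [], "final": None}
        elif m := STARTED.search(line):
            requests.setdefault(m.group(1), {"user": None, "statuses": [], "final": None})
            requests[m.group(1)]["user"] = m.group(2)
        elif (m := STATUS.search(line)) and current is not None:
            requests[current]["statuses"].append(m.group(1))
            if m.group(1) in FINAL:
                requests[current]["final"] = m.group(1)
    return requests


def incomplete_requests(requests):
    """Request ids that never reached a final status, with the last status seen."""
    return {rid: (r["statuses"][-1] if r["statuses"] else "no response")
            for rid, r in requests.items() if r["final"] is None}
```

Run `incomplete_requests(summarize(open("debug.txt").read()))` over a captured `debug tacacs` session to list the stalled attempts; those are the ones to match against the ACS failed-attempts report.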
Blogs and organic groups at http://www.ccie.net
Received on Tue Apr 13 2010 - 14:45:00 ART